So I have outside users who we would like to manage updates for now. I currently have one WSUS server and Patch Manager PAS here that I manage. I set up a second downstream WSUS server and set it to not store files locally so that outside users can get approvals from it but download the files from microsoft. All of this is working fine. I would like to have the ability to manage third party updates for them as well but im not sure what I have to set up to get that to happen. If anyone else is already doing this and has some clue that would be great.

With Patch Manager, that is not really a workable setup for 3rd party stuff to work. Since the 3rd party updates are published to a WSUS environment, the machines need to be able to check into that WSUS server (or a downstream server in that environment) for 3rd party stuff to work. If the machines are configured to get the content from Microsoft, that won't work since Microsoft won't have the content for any of the 3rd party updates.

Kelly, I have a strange thing happening. Since my WSUS02 is downstream it seems to be synchronizing when i publish updates on the WSUS01. Is this going to cause any problems or it should be fine since I just wouldnt approve the updates for WSUS02?

New Update Alert

The following 5 new updates have been synchronized to WSUS02 since Thursday, July 20, 2017 8:00 PM (GMT).

Critical and Security Updates

No new critical or security updates were synchronized.

Other Updates

FileZilla Client 3.27.0 (x86) (Upgrade) Upgrade only.The package requires a previous version exist. This version addresses bug-fixes. Note - This package will install/upgrade Filezilla Client for all existing users in the client machine.

FileZilla Client 3.27.0 (x64) (Upgrade) Upgrade only.The package requires a previous version to exist. This version addresses bug-fixes. Note - This package will install/upgrade Filezilla Client for all existing users in the client machine.

Opera 46.0.2597.57 (Upgrade) Upgrade only.This version contains bug fixes. This package require a previous version Opera Chromium 15.x or above exist to be applicable.This package will upgrade only Opera Chromium versions 15.x and above. This package will not detect/Upgrade Opera Chromium installed in custom locations and User-level installations. Opera will not function properly if this package applied to a machine which has opera installed at user level. It is recommended to remove user-level installed versions before applying this package.

Office 365 Client Update - Current Channel Version 1706 for x64 based Edition (Build 8229.2103) The Office 365 Client Update enables updates to be delivered to desktop clients via System Center Configuration Manager Software Update Management workflow engine. These updates are applicable for the following SKUs: Office 365 ProPlus, Office 365 Business, Visio Pro for Office 365, and Project Pro for Office 365. For a detailed list of updates, see http://aka.ms/OfficeReleaseNotes. Important: This update is not intended to be directly deployed via Windows Server Update Services (WSUS). To deploy this update, you will need to use System Center Configuration Manager.

Office 365 Client Update - Current Channel Version 1706 for x86 based Edition (Build 8229.2103) The Office 365 Client Update enables updates to be delivered to desktop clients via System Center Configuration Manager Software Update Management workflow engine. These updates are applicable for the following SKUs: Office 365 ProPlus, Office 365 Business, Visio Pro for Office 365, and Project Pro for Office 365. For a detailed list of updates, see http://aka.ms/OfficeReleaseNotes. Important: This update is not intended to be directly deployed via Windows Server Update Services (WSUS). To deploy this update, you will need to use System Center Configuration Manager.

if you publish 3rd party updates to the upstream server (which you have to - you can't publish them directly to a downstream), they will be treated just like every other update once they are "on" the upstream WSUS. That means that they will sync the updates down to the downstream servers. If the downstream server is a replica downstream wsus, it will also sync down the approvals. If the downstream server is an autonoumous downstream wsus, then approvals would/could be handled independently for that autonomous downstream.

So, if it is a downstream autonomous wsus server and you're not going to approve them, i don't see an issue.

If it is a downstream replica wsus and therefore inherits the approval action as well, that could be an issue (though those updates would simply fail since the content isn't there). the biggest issue there would just be that the machines would potentially constantly "see" the updates they can't get.